me/server-configuration
1
0
Fork 0
Code Activity
server-configuration/README.md

83 lines
2.9 KiB
Markdown
Raw Blame History

# VPN server configuration
This is an experimental configuration for my Hetzner VPS and Cloudflare to run a VPN using OpenTofu and Nix, based on [NixOS/nixos-wiki-infra on Github](https://github.com/NixOS/nixos-wiki-infra).
## Configure ssh
Add keys to `target/admin/terraform.tf`.
## Configure .env
Copy `.env.example` to `.env` and fill in the values.
### Hetzner
In the Hetzner Cloud dashboard, go to the project and click `Security -> API Tokens`.
### Cloudflare
In the Cloudflare user settings, generate an API token with write access to DNS zones.
## Configure sops
On the Terraform client, run:
```bash
nix develop
cd targets/vpn/secrets
just generate-key
cp secrets.yaml.example secrets.yaml
```
Populate `secrets.yaml` with the desired values. Run `age-keygen` to get another key specifically for the server and put it in `secrets.yaml` (note that this will only work during installation). Then run `just encrypt` to encrypt and `just decrypt` to decrypt. Put the public key for both the VPN server and the OpenTofu client in `.sops.yaml` in the project root directory.
If you have already installed the server without a key, then run on the server:
```bash
sudo mkdir -p /var/lib/secrets
sudo chmod 700 /var/lib/secrets
sudo chown root:root /var/lib/secrets
umask 0177
age-keygen | sudo tee /var/lib/secrets/age >/dev/null
sudo chmod 600 /var/lib/secrets/age
sudo chown root:root /var/lib/secrets/age
umask 0022
cat /var/lib/secrets/age
```
Or run on the client: `nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age'` to get a public age key from the server's public ssh key.
Then follow the above instructions to add the public key.
## Apply configuration
For cross-compiling on different architectures, you will need to add a builder by visiting the following resources:
- https://nix.dev/tutorials/nixos/distributed-builds-setup.html
- https://nix.dev/manual/nix/2.25/advanced-topics/distributed-builds
Run `nix develop` at the root of the project directory to access a shell where OpenTofu is accessible.
In the `targets` directory, run `just` to update the configurations.
## VPN
To set up the VPN, on the VPS run:
```bash
headscale users create default
headscale preauthkeys create --user default --reusable
```
On the client run:
```bash
tailscale up --login-server <HEADSCALE_URL> --auth-key <KEY>
```
## Troubleshooting
### Hetzner VPN
Some stuff may need to be configured by hand. For instance, the network settings may change with a new installation and need to be updated in `targets/vpn/configuration.nix`, or it may cause the network to be disabled requiring mounting with a NixOS recovery image and using `nixos-enter` to redo the networking and rebuild the system.
It may also complain about a hostname change. Changing the name of the VPN in `terraform/nixos-vpn` from `nixos-vpn` to `vpn` might help but I haven't tested it out yet. Otherwise you may need to clone the repo inside of the VM and do `nixos-rebuild` there.
View git blame Copy permalink